openwrt/package/network/services/dropbear/files/dropbear.init

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2006 Carlos Sobrinho

START=19
STOP=50

USE_PROCD=1
PROG=/usr/sbin/dropbear
NAME=dropbear
PIDCOUNT=0

extra_command "killclients" "Kill ${NAME} processes except servers and yourself"

_dropbearkey()
{
	/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&-
}

# $1 - host key file name
hk_verify()
{
	[ -f "$1" ] || return 1
	[ -s "$1" ] || return 2
	_dropbearkey -y -f "$1" || return 3
	return 0
}

# $1 - hk_verify() return code
hk_errmsg()
{
	case "$1" in
	0) ;;
	1) echo "file does not exist" ;;
	2) echo "file has zero length" ;;
	3) echo "file is not valid host key or not supported" ;;
	*) echo "unknown error" ;;
	esac
}

# $1 - config option
# $2 - host key file name
hk_config()
{
	local x m
	hk_verify "$2"; x=$?
	case "$x" in
	0)	procd_append_param command -r "$2"
		;;
	*)	m=$(hk_errmsg "$x")
		logger -t "${NAME}" -p daemon.warn \
		  "option '$1', value '$2': $m, skipping"
		;;
	esac
}

# $1 - host key file name
hk_config__keyfile()
{
	hk_config 'keyfile' "$1"
}

hk_generate_as_needed()
{
	local kdir kgen ktype tdir kcount tfile
	kdir='/etc/dropbear'

	kgen=''
	for ktype in ed25519 ecdsa rsa; do
		hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue

		kgen="${kgen} ${ktype}"
	done

	[ -z "${kgen}" ] && return

	tdir=$(mktemp -d); chmod 0700 "${tdir}"

	kcount=0
	for ktype in ${kgen}; do
		tfile="${tdir}/dropbear_${ktype}_host_key"

		if ! _dropbearkey -t ${ktype} -f "${tfile}"; then
			# unsupported key type
			rm -f "${tfile}"
			continue
		fi

		kcount=$((kcount+1))
	done

	if [ ${kcount} -ne 0 ]; then
		mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}"
		mv -f "${tdir}/"* "${kdir}/"
	fi

	rm -rf "${tdir}"
}

append_ports()
{
	local ipaddrs="$1"
	local port="$2"

	[ -z "$ipaddrs" ] && {
		procd_append_param command -p "$port"
		return
	}

	for addr in $ipaddrs; do
		procd_append_param command -p "$addr:$port"
	done
}

validate_section_dropbear()
{
	uci_load_validate dropbear dropbear "$1" "$2" \
		'PasswordAuth:bool:1' \
		'enable:bool:1' \
		'Interface:string' \
		'GatewayPorts:bool:0' \
		'RootPasswordAuth:bool:1' \
		'RootLogin:bool:1' \
		'rsakeyfile:file' \
		'keyfile:list(file)' \
		'BannerFile:file' \
		'Port:port:22' \
		'SSHKeepAlive:uinteger:300' \
		'IdleTimeout:uinteger:0' \
		'MaxAuthTries:uinteger:3' \
		'RecvWindowSize:uinteger:0' \
		'mdns:bool:1'
}

dropbear_instance()
{
	local ipaddrs

	[ "$2" = 0 ] || {
		echo "validation failed"
		return 1
	}

	[ -n "${Interface}" ] && {
		[ -n "${BOOT}" ] && return 0

		network_get_ipaddrs_all ipaddrs "${Interface}" || {
			echo "interface ${Interface} has no physdev or physdev has no suitable ip"
			return 1
		}
	}

	[ "${enable}" = "0" ] && return 1
	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"

	procd_open_instance
	procd_set_param command "$PROG" -F -P "$pid_file"
	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
	[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
	[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
	if [ -n "${rsakeyfile}" ]; then
		logger -t ${NAME} -p daemon.warn \
			"option 'rsakeyfile' is considered to be deprecated and" \
			"will be removed in future releases, use 'keyfile' instead"
		hk_config 'rsakeyfile' "${rsakeyfile}"
	fi
	config_list_foreach "$1" "keyfile" hk_config__keyfile
	[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
	append_ports "${ipaddrs}" "${Port}"
	[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
	[ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
	[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
	[ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
		procd_append_param command -W "${RecvWindowSize}"
	[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
	procd_set_param respawn
	procd_close_instance
}

load_interfaces()
{
	config_get interface "$1" Interface
	config_get enable "$1" enable 1

	[ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
}

boot()
{
	BOOT=1
	start "$@"
}

start_service()
{
	hk_generate_as_needed

	. /lib/functions.sh
	. /lib/functions/network.sh

	config_load "${NAME}"
	config_foreach validate_section_dropbear dropbear dropbear_instance
}

service_triggers()
{
	local interfaces

	procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload

	config_load "${NAME}"
	config_foreach load_interfaces dropbear

	[ -n "${interfaces}" ] && {
		for n in $interfaces ; do
			procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
		done
	}

	procd_add_validation validate_section_dropbear
}

shutdown() {
	# close all open connections
	killall dropbear
}

killclients()
{
	local ignore=''
	local server
	local pid

	# if this script is run from inside a client session, then ignore that session
	pid="$$"
	while [ "${pid}" -ne 0 ]
	 do
		# get parent process id
		pid=$(cut -d ' ' -f 4 "/proc/${pid}/stat")
		[ "${pid}" -eq 0 ] && break

		# check if client connection
		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
			append ignore "${pid}"
			break
		}
	done

	# get all server pids that should be ignored
	for server in $(cat /var/run/${NAME}.*.pid)
	 do
		append ignore "${server}"
	done

	# get all running pids and kill client connections
	local skip
	for pid in $(pidof "${NAME}")
	 do
		# check if correct program, otherwise process next pid
		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
			continue
		}

		# check if pid should be ignored (servers, ourself)
		skip=0
		for server in ${ignore}
		 do
			if [ "${pid}" = "${server}" ]
			 then
				skip=1
				break
			fi
		done
		[ "${skip}" -ne 0 ] && continue

		# kill process
		echo "${initscript}: Killing ${pid}..."
		kill -KILL ${pid}
	done
}